Self-contained payment system with circulating digital vouchers

ABSTRACT

A self-contained payment system uses circulating digital vouchers for the transfer of value. The system creates and transfers digital vouchers. A digital voucher has an identifying element and a dynamic log. The identifying element includes information such as the transferable value, a serial number and a digital signature. The dynamic log records the movement of the voucher through the system and accordingly grows over time. This allows the system operator to not only reconcile the vouchers before redeeming them, but also to recreate the history of movement of a voucher should an irregularity like a duplicate voucher be detected. These vouchers are used within a self-contained system including a large number of remote devices which are linked to a central system. The central system can e linked to an external system. The external system, as well as the a remote devices, are connected to the central system by any one or a combination of networks. The networks must be able to transport digital information, for example the internet, cellular networks, telecommunication networks, cable networks or proprietary networks. Vouchers can also be transferred from one remote device to another remote device. These remote devices can communicate through a number of methods with each other. For example, for a non-face-to-face transaction the internet is a choice, for a face-to-face or close proximity transactions tone signals or light signals are likely methods. In addition, at the time of a transaction a digital receipt can be created which will facilitate a fast replacement of vouchers stored in a lost remote device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation of application Ser. No. 08/684,218 filed Jul. 19,1996.

BACKGROUND OF THE INVENTION

1. Technical Field

This invention relates to the general field of payment systems, and moreparticularly, to a self-contained payment system using digital vouchersfor payments from individual to individual, individual to business, frombusiness to individual and from business to business.

2. Description of the Prior Art

Today, there are a number of different payment systems in use allowingan individual or a business to make payment to another individual orbusiness. The most common are paper bills and coins, debit and creditcards, checks, traveler checks and others. Newer forms, many still infield trial stage, are home banking, smart card based methods or on-linemethods for the internet and intranets.

These payment systems are all sub optimal because they are limited inthe scope of how and in what situations they can be used. Therefore, itis necessary today to use a range of payment systems in parallel:

Paper bills and coins are anonymous in use, can be used freely fromindividual to individual, individual to business, from business toindividual and from business to business. However, they require aphysical transfer, and micro payments of less than $0.01 are notpossible, payments must be divisible by $0.01. If lost or stolen, paperbills and coins cannot be replaced.

Debit and credit cards protect the user against loss and fraud. However,the transactions are not anonymous and they can only be used to paymerchants who are registered with the appropriate debit or creditorganization. In addition, small payments (less than $5) are generallynot accepted.

Checks are practical to send a payment to another distant party. Theyalso protect the user against loss. However, since they are a paperbased system, they need to be physically transported to the recipient'sbank which can be a multiple-step and time-consuming process. Inaddition, the funds are often not immediately available to therecipient, who might have to wait until the check cleared the bank.Check payments are not anonymous. Payments of less than $0.01 are notpossible.

Home banking as a payment system replaces generally the physical checkwith an electronic check, shortening the time for the recipient toreceive the funds. However, the other disadvantages with respect tochecks remain. In addition, home banking requires a PC with a modem.

Smart card based systems. The smart card is used as a medium of storagefor value. The cards act in conjunction with a reader to allow payment.Therefore, a physical contact needs to be established between the payerand the payee. There are a number of different underlying technologicalapproaches:

One technology approach (such as the field trial by Mondex in the UK) isanonymous, modeled after the paper bill and coin system. Currency canfreely and without restrictions be moved from individual to individual,individual to business from business to individual and from business tobusiness. These systems so far do not work for internet transactions andpayments of less than $0.01 are not possible, payments must be divisibleby $0.01. If lost, the funds cannot be replaced.

Most other smart card approaches are mostly non-anonymous and arelimited to a payment from an individual to a registered merchant, inaddition the merchant can not use the funds immediately, the funds mustfirst clear the banking system. (examples are the technologies behindfield trials such as Visa Cash, MasterCard, Proton, EC-Card, AmericanExpress, Smart Cash). If lost they generally can not be replaced, theexception is the American Express system which is modeled after thetraveler check business.

Internet systems (such as CyberCash, NetBill, First Virtual, DigiCash orMillicent) are all in an early development or field trial state. Theyplan to offer micro payment options (First Virtual and CyberCash about$1 as smallest transaction, others about 1 cent). However, all thesesystems are limited, they can only be used on the internet. There is nopayment system which can work on the internet ("on-line") as well as"off-line". Furthermore, most approaches can only handle payments froman individual to a merchant, the exception being a planned system forDeutsche Bank in Germany by DigiCash which is expected to allowindividual to individual payments. Questions of anonymity are mostly notresolved at this time. DigiCash, a Dutch company is offering ananonymous approach. Most US based systems in development (for exampleCyberCash, Millicent) are mostly not anonymous.

Therefore, from a user's point of view all payment systems in existenceas well as in development have a range of shortcomings. An ideal paymentsystem should fulfill the following criteria:

Same payment system can be used for on-line and off-line payments.

Payments can be made in an on-line environment such as the internet,private networks, telecommunication networks, etc., as well as in anoff-line environment for face-to-face transactions. Funds can be freelytransferred from on-line to off-line and back to on-line.

Payment system can be used universally: pay anyone and receive fundsfrom anyone, person or business, anywhere in the world.

Payments can be made from an individual to a business, from a businessto an individual, from business to business as well as from anindividual to an individual. The payment system can also handle multiplecurrencies.

Payments are available without restrictions and delays once received.

Payments can be freely used as soon as they are received. Furthermore,the transportation of a payment in the case of a non-face to facetransaction is nearly instantaneous regardless of the physical distancebetween the payer and payee

Micro payments of less than $0.01 are possible, which is of value forfuture on-line usage based payment structures.

Privacy is guaranteed, yet the overall payment system is protectedagainst illegal attempts to corrupt the system.

The system in anonymous, the privacy of the individual is protected.However, the system can recognize certain illegal transactions and thetransaction history can be made transparent allowing the tracking ofthese illegal transactions. It is a policy issue not a technical issueto set the rules of revealing an individual's identity and transactionhistory.

Transportation of payments across the network is secure utilizing thelatest encryption technologies.

Funds can be replaced when lost.

Integrity of national and international banking systems is guaranteed.

Irregularities in the payment system are detected and can not enter thebanking system and therefore have no impact on the money supply of acountry.

Receipts for payments are provided.

Multi-purpose use.

Payment system can in addition be used to handle other payment typeprograms such as loyalty programs (for example frequent flier programs)or benefit transfer programs (for example food stamps).

None of the payment systems in use today fulfills all or most of thesecriteria.

The payment system according to the invention fulfills the abovecriteria and is therefore superior to all conventional payment systems.

SUMMARY OF THE INVENTION

The present invention includes circulating digital vouchers withattached logs which contain a history of the transactions experienced bythe voucher. This includes the creation and use of a digital voucher asthe voucher circulates through the self-contained payment system. Adigital voucher includes an identifying element made up of a series ofidentifying digits in an exclusive order. The voucher further includes adynamic log having a series of log digits. Log digits are added wheneverthere is a transaction involving the voucher, thus recording themovement of the voucher through the system. This allows a systemoperator not only to reconcile the vouchers but also to recreate themovement of a voucher. By evaluating the histories of vouchersirregularities can be detected early and be traced to their likelysource. This invention could best be compared to a piece of paper whichcan be redeemed for a liar bill. On this piece of paper, whenever it ishanded to another person, information is written such as the date andthe account number of the person. All information written on the pieceof paper can be in an encrypted form, therefore it is kept disguised andtherefore anonymous. However, if an irregularity is detected in thehistory, the information written on this piece of paper representing thevalue of the dollar bill, can be decrypted by authorized persons and thehistory can then be revealed including the identities of the personsthrough whose hands the piece of paper moved.

The payment system according to this invention is self-contained and maybe linked to an external system. In the case of electronic cash, forexample, the external system is an existing bank. An account number inthe bank is converted into a confidential account number in a centralsystem separate from the external system. Value is transferred into anaccount by creating a digital voucher representing the value in thebank. Simultaneously to the voucher being created, in a paralleltransaction the actual dollar value is transferred into an escrowaccount in the bank. The voucher can now be freely "spent" within thepayment system according to the invention. When the voucher is redeemed,the voucher is inactivated in the central system. During the redemptionwhen the value of the voucher is presented to the bank, the accountnumber in the central system of the person redeeming the voucher istranslated back into the person's account number in the bank. Thisaccount is increased by the value of the voucher presented and theescrow account is decreased by the same value.

Vouchers according to this invention are used within a self-containedsystem including one or more remote devices and a central system. Alarge number of remote devices are linked to the central system. Thecentral system can be linked to an external system. The external systemas well as the remote devices are connected to the central system by anyone or a combination of networks. The networks must be able to transportdigital information such as, for example, the internet, cellularnetworks, telecommunication networks, cable networks or proprietarynetworks. For on-line transactions between the remote devices and thecentral system, the internet is a likely choice. To establish a linkbetween the remote device and the central system, for example todownload vouchers from the central system to the remote device for lateroff-line payments, the telecommunication networks as well as theinternet are likely choices.

Vouchers can also be transferred from one remote device to anotherremote device. These remote devices can communicate through a number ofmethods with each other. For example, for a non-face-to-face transactionthe internet is a choice, for a face-to-face or close proximitytransactions tone signals or light signals are likely methods.

In addition, at the time of a transaction, a digital receipt can becreated which will facilitate a fast replacement of vouchers stored in alost remote device.

If the structure and method according to the invention is applied toelectronic cash, the external system is today's banking and clearinghouse systems linked to the central system using the existing inter banknetworks for signal transport. Therefore, the banking network isseparated securely according to today's standards form theself-contained payment system which uses circulating digital vouchersand reconciles them before they can be redeemed for their dollar valuein the external banking system.

New developments in encryption technology or the setting of new internetstandards such as the envisioned SET (Secure Electronic Transactions)standard which seems to be supported by Visa, MasterCard, Microsoft,Netscape and others are to the advantage of the payment system accordingto the invention and can be easily integrated.

The structure and method according to the invention has numerous andsignificant advantages over all conventional payment systems.

The remote devices can be used in an on-line environment such as theinternet, private networks, telecommunication networks, etc., as well asin an off-line environment such as a face-to-face transaction. Vouchersaccording to the invention can be freely transferred from on-line tooff-line and back to on-line.

Vouchers, according to the invention, can be passed from remote deviceto remote device and therefore from an individual to a business, from abusiness to an individual, from business to business, as well as from anindividual to an individual.

Vouchers, according to the invention, can be used without restrictionsand delays as soon as they have been received.

There is no value limit to a voucher according to the invention,therefore macro and micro payments (less than 0.01) are possible.

The account numbers of the central system can be kept anonymous using atranslation algorithm protected by encryption. Therefore, the system isanonymous and the privacy of the individual is protected. However, thelogs of the vouchers according to the invention can be read byauthorized persons to track irregularities and therefore to prevent andtrace illegal acts such as counterfeiting. It is a policy issue for theoperator of the payment system according to the invention, not atechnical issue, to set the rules for revealing an individual's identityand transaction history.

The transport of vouchers according to the invention through any type ofnetwork is secure. With the help of the attached logs the source ofirregularities (e.g. counterfeiting) is easily and quickly tracked. Inaddition, common encryption technologies, as well as digital signatures,can be applied to add another level of security when the vouchers are intransit.

The integrity of the external system, for example the world financialsystems, is protected. A payment system according to the invention isseparated from the external system. Within the payment system, vouchersare used which are reconciled before they can be redeemed in theexternal system.

A user can receive receipts.

If a remote device gets lost, with the help of the receipts, thevouchers having been stored in the remote device at the time of loss canbe identified and therefore be replaced.

The payment system can handle different currencies.

The payment system according to the invention includes the capability ofbeing used as a multiple purpose system, for example, to manage loyaltyprograms such as frequent flier miles programs and to add otherinformation and data to a voucher at a time of transaction such ascoupons.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1-A is a simplified block diagram of a digital voucher according tothe invention;

FIG. 1-B is a block diagram of a self-contained payment system accordingto the invention linked to an external system;

FIG. 1-C is a simplified flow chart illustrating the circulation of adigital voucher through a self-contained payment system according to theinvention;

FIG. 2 is a block diagram of a remote device according to the invention;

FIG. 3 is a block diagram of a central system according to theinvention;

FIG. 4 is a flow chart showing the circulation of a digital voucherwithin a self-contained payment system linked to an external system,according to the invention;

FIG. 5 is a flow chart showing the steps of evaluating the identifyingdigits and log digits to determine to which destination the voucher willbe transferred to, according to the invention; and

FIG. 6 is an illustration for setting an identifying element as well assetting and increasing a dynamic log of a digital voucher, according tothe invention.

DETAILED DESCRIPTION OF THE INVENTION

Throughout the description, the terms voucher and digital voucher areused interchangeably. In addition, the term programmed device can beused for remote device.

Overview

FIGS. 1-A to 1-C are simplified illustrations helping to provide anoverview and explain key elements according to the invention. Additionaldetails are described in FIGS. 2 to 6.

FIG. 1-A is a simplified block diagram of a digital voucher according tothe invention. A digital voucher 1A consists, according to theinvention, of an identifying element 10000 made up of identifyingdigits, and a dynamic log 20000 made up of log digits. The identifyingelement 10000 may include a set of digits representing a transferablevalue 11000 in an external system for which the voucher 1A can beredeemed, a unique serial number 12000, the account number 13000 whichthe voucher was created for, and any other data 14000, which couldinclude a digital signature from the central system. This digitalsignature can be of any standard such as the SET (Secure ElectronicTransactions) standard which is currently being developed by Visa,MasterCard, Netscape and others. The data of the dynamic log 20000 isincreased whenever there is a transaction involving the voucher 1A,wherein a transaction includes a creation, any use includinginactivation and redemption, or movement of the voucher 1A. The logdigits contain data describing the history of the transactions,21000,22000,23000,24000,25000. These log digits can include atransaction code consisting of information such as the date and time ofthe transaction as well as the identification number of the devicehaving performed the transaction. Other data 26000 not related to thecreation, use or movement history of the voucher 1A may also be added.Therefore, when reading the data contained in the dynamic log of avoucher, the history of the creation, use and movement of the voucher 1Acan be recreated. The identifying element 10000 and dynamic log 20000can at any time be evaluated against a set of criteria to determine towhich of several destinations the voucher will be transferred to in anext step. For example, prior to redeeming a voucher 1A, it can bechecked that a voucher with the same serial number has not been redeemedbefore. If an irregularity appears, the history recorded in the dynamiclog 20000 of all vouchers in question can be evaluated to trace thepotential source of the irregularity.

FIG. 1-B is a block diagram of the self-contained payment systemaccording to the present invention within which a voucher 1A (FIG. 1-A)is used. The system includes two major types of components, remotedevices (programmed devices) such as remote device A 100 or removedevice B 101 and a central system 200. A large number of remote devicessuch as remote device A 100 are linked to the central system 200. Thelinkage is through a network for internal signal transport 300. Thecentral system 200 can, in addition, be linked to an external system500. The external system 500 is connected to the central system by anetwork for external signal transport 400. Both the network for internalsignal transport 300 and the network for external signal transport 400must be able to transport digital information such as, for example, theinternet, cellular networks, telecommunication networks, cable networks,TV networks, LANs or any other kind of computer network. If the paymentsystem according to the invention is used for electronic cash, theexternal system 500 are today's banking and clearing house systemslinked to the central system 200 using the existing inter bank networksand standards for external signal transport. This separates the bankingnetworks securely from the payment system according to the invention.Two remote devices, such as remote device A 100 and remote device B 101can be linked for remote signal transport 600 using one or a variety oftechnologies. For example, the internet, cellular networks,telecommunication networks, cable networks, TV network, LANs or anyother kind of computer network can be used for non-face-to-facetransactions between the two remote devices. For face-to-face, closeproximity transactions, a direct physical contact such as a cableconnection or an indirect contact using tone signals or light signalscan be used.

FIG. 1-C is a simplified flow chart illustrating the circulation of adigital voucher through a self-contained payment system according to theinvention. A voucher 1 is created by the central system 200 representinga transferable value in the external system 500. The creation of thevoucher 1 includes the setting of the identifying element which does notchange as the voucher is circulated as illustrated in this FIG. 1-C.This voucher 1 is placed into a user's A account in the central system200. This is recorded in the dynamic log as history 1. User A can nowtransfer this voucher 1 into the user's remote device A 100. To thevoucher 2, a second history, history 2 recording this transfer is added.As user A transfers the voucher 3 to a second user, user's B remotedevice B 101 a third history recording this transaction is added. Theuser B can either transfer the voucher to a third user C or as shown inthe illustration of FIG. 1-C transfer the voucher to user's B account inthe central system 200. The transfer of the voucher from user's B remotedevice to the central system is recorded as history 4 to the voucher 4.This voucher is now being evaluated to check that a voucher with thesame serial number has not been redeemed earlier. If this voucher hasnot been redeemed before, this voucher is then inactivated and a linkednew voucher is created which is stored in user's B account. This isrecorded as history 5 to the new, linked voucher 5. User B can nowredeem the voucher for its transferable value in the external system 500as shown in the illustration of. FIG. 1-C. The redemption is recorded inthe dynamic log as history 6. The redemption also ends the circulationof the voucher 6 through the payment system according to the invention.

The following more detailed description begins with the description of aremote device (FIG. 2) and a central system (FIG. 3). This is followedby a step-by-step description of the circulation of a digital voucherwithin a self-contained payment system linked to an external system,according to the invention (FIG. 4). The steps of evaluating theidentifying digits and log digits of a voucher to determine to whichdestination the voucher will be transferred to is also explained (FIG.5). Thereafter the setting of an identifying element as well as thesetting of and increasing a dynamic log of a digital voucher accordingto the invention is illustrated (FIG. 6). Thereafter, the creation anduse of digital receipts is illustrated.

Remote Device (Programmed Device)

FIG. 2 is a block diagram of a remote device. The remote device A 100(FIGS. 1-B and 1-C) includes an input signal receiver 110, a processor120, a memory 130, an output signal generator 150, and user controls140. The remote device may also include a display 160. The input signalreceiver 110 receives the signals sent by the network for internalsignal transport 300 (FIG. 1-B), or from a second remote device such asremote device B 101 (FIG. 1-B) through the remote signal transport 600(FIG. 1-B), and sends these to the processor 120. The signals includedigital vouchers as well as possibly operating instructions. Theprocessor 120 stores in and retrieves from the memory 130 the vouchersreceived or to be sent out. The processor 120 furthermore generates andattaches the remote device's set of log digits to the dynamic log of avoucher whenever there is a transaction involving the voucher performedby the remote device. The memory stores in addition to vouchers,information such as the identification number of the remote device A 100(FIG. 1-B), one or several account numbers of the user's centralaccounts in the central system, encryption keys, operating instructionsand receipts of vouchers received. The processor 120 is linked to theoutput signal generator 150 which generates the appropriate signals forthe network for internal signal transport 300 (FIG. 1-B) or for theremote signal transport 600 (FIG. 1-B). The processor 120 is activatedby the user using the user controls 140 or by an incoming signal fromanother remote device or the central system 200 (FIG. 1-B). The usercontrols allow the user to instruct the remote device to establishcontact with the central system 200 (FIG. 1-B), to request any type oftransaction such as to create a voucher and place the voucher in theuser's account in the central system or to transfer the voucher to theuser's remote device. Furthermore, the user controls 140 can be used toestablish a contact between two remote devices and to request any typeof transaction. In addition, the user controls 140 can be used to inputa PIN or password to establish the identity of the user. The display 160which is linked to the processor 120 provides the user with feedbackabout the operation of the remote device. For example, the user can viewthe transaction the user requested, the amount of the transferable valueof the voucher to be sent, or received, as well as review thetransferable values of vouchers left in the memory, or review thereceipts of transactions conducted previously.

The remote device (programmed device) is of great use to users when thedevice is in a small portable structure which can be easily carried in apocket or purse.

A remote device such as remote device (programmed device) A 100 (FIG.1-B) is of conventional electronic and computer components and cantherefore be resident in other devices such as a computer, a phone, acellular phone, a pager, a PDA, a TV or similar devices. The remotedevice thus could share the memory, processor and input and outputsignal generators of a computer. In addition, the remote device does notneed to be in one physical embodiment or structure. It could reside inseveral. For example, the memory 130 can be in a smart card and theremaining components can reside in a computer which has the ability tointeract with the smart card. Or all or part of the memory 130 could belocated in the central system 200 (FIG. 1-B). Therefore, vouchers forexample could only be stored in the central system whereas the accountnumber of the central system, identification number of the remote deviceand encryption keys could be stored in the remote device. Furthermore,to allow a more versatile use, the remote device can have more than oneinput signal receiver 110 and more than one output signal generator 150.

Central System

FIG. 3 is a block diagram of a central system. The central system 200(FIGS. 1-B, 1-C) includes a central output signal generator 210, acentral processor 220, a central input signal receiver 230, a centraloperator controls 240, a central display 280, a central memory 250, anexternal input signal receiver 260, and an external output signalgenerator 270. The central system receives signals from the remotedevice through the central input signal receiver 230 which passes thedata on to the central processor 220. The central processor 220 islinked to the central output signal generator 210 to send signals to aremote device such as remote device A 100 (FIG. 1-B). If the centralsystem 200 (FIG. 1-B) is linked to an external system 500 (FIG. 1-B), itmay have one or more additional external input signal receivers 260 toreceive information from the external system 500 (FIG. 1-B). It also mayhave one or more additional external output signal generators 270 tosend information to the external system 500 (FIG. 1-B). The centralprocessor 220 is also linked to a central memory 250. The central memory250 holds a large number of memory locations which represent accountshaving account numbers. Each user has at least one central account suchas central account A 11 (FIG. 4) in the central system 200 (FIG. 1-B). Auser can store some or all of the user's vouchers in such a centralaccount. The central memory 220 stores in addition to a user's centralaccount such as central account A 11 (FIG. 4), data such asidentification numbers of remote devices, encryption keys, circulatingvoucher account 40 (FIG. 4), inactive voucher account 50 (FIG. 4),redeemed voucher account 60 (FIG. 4), receipts-from-remote deviceaccount 70 (FIG. 4), cancelled voucher account 80 (FIG. 4), blockredemption account 90 (FIG. 4) as well as other data and instructionsneeded for operations, for example. The central memory 250 is linked tothe central processor 220. The central processor 220 performs a largenumber of functions. For example, the central processor 220 stores andretrieves vouchers, creates vouchers, assigns central account numbers tousers, initializes remote devices by generating and transmittingidentification numbers, sets identifying element of a voucher, adds logdigits to the dynamic log of a voucher, evaluates identifying digits andlog digits to for example, check for duplicate vouchers, allows orblocks redemption, inactivates vouchers, redeems vouchers, stores andtracks receipts, breaks large denomination vouchers into a number ofsmaller denomination vouchers, stores and summarizes other informationattached to the vouchers, encrypts and decrypts incoming and outgoingsignals, and checks the authentication of devices and external systemswith which the central system communicates. As will be evident from thediscussion below, there are a number of additional levels of complexityand functionality which can be added and which will further increase thenumber of functions performed by the central processor 220. If thecentral system 200 (FIG. 1-B) is linked to an external system 500 (FIG.1-B) the central processor also manages the data in and out flow to theexternal system 500 (FIG. 1-B). The central system 200 (FIG. 1-B) ismanaged by an operator using the operator controls 240 which are likelya computer input terminal including a keyboard and a control display 280such as a conventional computer screen.

The central system 200 (FIG. 1-B) can reside in a number of differentdevices such as computers which are linked and function together toperform as a central system.

Furthermore, whenever a voucher or other information is sent between aremote device and another remote device, or to and from the centralsystem, the voucher to be sent could be encrypted using a variety ofavailable encryption technologies. Similarly, once the encrypted voucheris received, it must be decrypted by the receiving remote device orcentral system.

In addition, remote devices as well as the central system could, onceconnected, also authenticate each other before continuing transactions.Whenever a remote device is connected to the central system or wheneverthe remote device is connected to another remote device, the deviceidentification numbers are transmitted and checked against previouslyreceived and in memory stored information and commands to possiblyrestrict further transactions. This could also be done by using any ofthe common challenge-response methodologies.

The Circulation of a Digital Voucher Within a Self-Contained PaymentSystem

FIG. 4 is a flow chart showing the circulation of a digital voucherwithin a self-contained payment system linked to an external system,according to the invention. For demonstration purposes, the illustrationdescribed below focuses on electronic cash. A user has a bank accountsuch as an external account A 10 in the external system 500 (FIG. 1-B),whereas the external system is a bank. The central processor 220 (FIG.3) of the central system 200 (FIG. 1-B) when instructed by the operatorusing the operator controls 240 (FIG. 3) sets up a unique account numberfor the central account 11 in the central memory 250 (FIG. 3). Thisaccount number is numerically linked to the account number of theexternal account 10. To do this, the central processor 220 (FIG. 3)could use the same account number of the external account A 10 as usedin the external system. To keep the account number of the centralaccount A 11 anonymous, the central system could disguise that number byusing conventional encryption technologies such as a private and publickey encryption methodology. The encrypted external account number ofexternal account A 10 of the bank becomes the central account number ofthe central account A 11 in the central system 200 (FIG. 1-B).Therefore, the identity of the user in the central system 200 (FIG. 1-B)is disguised. However, by decrypting the central account number of thecentral account A 11, the external account number of the externalaccount A 10 can be revealed and therefore the account holder A can bedetected.

When using the remote device 100 (FIG. 1-B) for the first time, thedevice must be initialized by receiving an identification number fromthe central system 200 (FIG. 1-B). The identification number isnumerically linked to the central account number of the central accountA 11. To do this, for example, user A uses the user controls 140 (FIG.2) of the remote device to establish a connection between the remotedevice 100 (FIG. 1-B) and the central system 200 (FIG. 1-B). User A theninputs the user's central account number of central account A 11 and thecentral system 200 (FIG. 1-B) creates an identification number for theremote device 100 (FIG. 1-B) and sends the identification number to theremote device 100 (FIG. 1-B). The remote device 100 (FIG. 1-B) storesthe identification number in its memory.

How a connection is established depends on the technology used to sendand receive signals from the remote device 100 (FIG. 1-B) to the centralsystem 200 (FIG. 1-B) and similarly from one remote device to anotherone. The technology used also determines the specifications of the inputsignal receivers and output signal generators of the remote devices aswell as the central system. For example, if the remote device resides ina PC which is using the internet to communicate with another remotedevice or the central system, then the input and output generators areconventional modems using the conventional protocols to communicate andestablish a connection. If, for example, the network used is thetelecommunication network, then standard DTMF or FSK tone generators onone end and tone decoders on the other end are used. In a face-to-facetransaction, the two remote devices which are about to exchange avoucher can be brought in close proximity and send, as well as receive,for example, infrared signals.

A voucher is created when user A, using the remote device A 100 (FIG.1-B), requests from the central system 200 (FIG. 1-B) to place a voucherwith transferable value, for example of $5, into the central account A11 and take the funds out of the external account A 10. The balance ofthe external account A 10 of user A is now being decreased by $5. The $5are then being placed into an escrow account 30 at the external system500 (FIG. 1-B), the bank. Simultaneously, the digit 5 representing thetransferable value of the voucher is being sent by the external system500 (FIG. 1-B) to the central system 200 (FIG. 1-B) and is beingdeposited in the central account A 11. Please note the setting theidentifying element and the dynamic log as a voucher is created andtravels through the payment system according to the invention isdescribed in detail in FIG. 6. Now, when user A requests using theremote device A 100 (FIG. 1-B) that a voucher with value 5 is sent tothe user's remote device A 100 (FIG. 1-B) user A also specifies thecentral account out of which to take the voucher. Alternatively, theremote device could be programmed as part of the setup to automaticallyput a user's central account number in unless prompted to do otherwiseby the user. The central system 200 (FIG. 1-B) now takes the voucher outof the specified central account A 11, copies the voucher and places thecopy in the circulating voucher account 40 at the central system 200(FIG. 1-B). The central system 200 (FIG. 1-B) then transmits the voucherusing central output signal generator 210 (FIG. 3) to the remote deviceA 100 (FIG. 1-B). Once received, the voucher is stored in the memory130) (FIG. 2) of remote device A 100 (FIG. 1-B). Once this transactionis completed, the display 160 (FIG. 2) shows the user A confirmation.

Now user A wants to make a payment using remote device A 100 (FIG. 1-B)to user B with remote device B 101 (FIG. 1-B). User A uses the usercontrols 140 (FIG. 2) of the remote device A 100 (FIG. 1-B) to instructthe remote device A to establish contact with the other remote device B101 (FIG. 1-B). User A then requests a transfer of a voucher withtransferable value of 5 from the remote device A 100 (FIG. 1-B) to asecond remote device B 101 (FIG. 1-B). The processor 120 (FIG. 2) takesthe voucher out of memory 130 (FIG. 2) of remote device A (FIG. 1-B) andsends a signal including the voucher to remote device B 101 (FIG. 1-B),thus transferring the voucher to remote device B 101 (FIG. 1-B). Theremote device B 101 (FIG. 1-B) in turn stores the voucher in its memory.

Now user B of remote device B 101 (FIG. 1-B) can transfer the voucher toanother remote device. This would be the same transaction as describedabove. Technically a voucher can be transferred from a remote device toanother remote device an infinite number of times without ever having totransfer the voucher back to the central system 200 (FIG. 1-B). However,from a security point of view it may be desirable to limit the number oftimes of transferring a voucher from a remote device to another remotedevice and thus "force" the voucher back into the central system inregular intervals. This has the advantage that a reconciliation of avoucher, as described below, will take place on a regular basis. Thelimitation of the movement of vouchers can be achieved in a variety ofmanners. For example the voucher could have an expiration date, or aninternal counter to allow only a certain number of transfers, or aremote device could automatically download all vouchers received and notspent whenever a connection is established to the central system.

User B can also transfer the voucher using the remote device B 101 (FIG.1-B) to the central account B 21 located in the central memory 250 (FIG.3). User B uses the user controls 140 (FIG. 2) of the remote device B101 (FIG. 1-B) to instruct the remote device B 101 (FIG. 1-B) toestablish contact with the central system 200 (FIG. 1-B). User B thenrequests to transfer a voucher with transferable value of, for examplefrom the remote device B 101 (FIG. 1-B) to the central system 200 (FIG.1-B). The processor 120 (FIG. 2) of the remote device B 101 (FIG. 1-B)takes the voucher out of its memory, sends a signal including thevoucher to central system 200 (FIG. 1-B), thus transferring the voucherto the central system. The evaluation and reconciliation which takesplace before user's B account is credited is described in FIG. 5 below.

A variation on the circulation of a voucher within the self-containedpayment system according to the invention as outlined above can be apayment system using remote devices which do not include a memorylocation to store vouchers. The vouchers are only stored in a user'scentral account in the central system such as in central account A 11.In this variation, when user A wants to transfer a voucher to anotheruser B, user A must first establish a connection between user's A remotedevice A 100 (FIG. 1-B) and the central system (FIG. 1-B). User A thentransmits user's A central account number, any authorization and, orauthentication information if any, as well as any additional informationwith respect to the remote device which is necessary to be included inthe dynamic log of the voucher when transferred to user B. Thisadditional information could, for example include the identificationnumber of the remote device used by user A. User A finally must alsotransmit information regarding the transferable value of the voucher tobe transferred as well as user's B central account number for centralaccount B to which the voucher is transferred to. Alternatively user Bcould establish a connection with user's B remote device and transmitthe information regarding user's B central account number. The recordingof the transactions in the dynamic log of a voucher is unchanged in thisvariation. If, as for example described above, user B does not use aremote device when receiving a voucher, then user's B central accountnumber is included in the dynamic log instead of the identificationnumber of user's B remote device. In this variation of the paymentsystem the capability of the central system must be extended to includeall necessary functions such as attaching a transaction code from thecentral system to the dynamic log of a voucher when the voucher istransferred between central accounts by the central system. Overall thecreation, use and movement of vouchers is not changed in this variationof the payment system other than that the vouchers are not stored andaccordingly transferred to and from memory locations residing within aremote device.

Evaluating the Identifying Digits and Log Digits

FIG. 5 is a flow chart showing the steps of evaluating the identifyingdigits and log digits to determine to which destination the voucher willbe transferred to, according to the invention. When receiving a voucherthe central processor 220 (FIG. 3) automatically searches thecirculating-voucher-account 40 (FIG. 4) to find a voucher with the samesubset of identifying digits, for example in this illustration the sameserial number. Once the copy with the same serial number is found (step501) in the circulating-voucher-account 40 (FIG. 4) the copy is erased(step 502) in that account. By finding the voucher in thecirculating-voucher-account 40 (FIG. 4), the central system 200 (FIG.1-B) is certain that the voucher has not been received before. A set oflog digits representing the inactivation of the voucher is attached tothe dynamic log (step 503) of the voucher. This inactivated voucher isthen stored in a memory location called inactive-voucher-account 50(FIG. 4) in the central memory 250 (FIG. 3) of the central system 200(FIG. 1-B). The inactivated voucher is replaced by a newly createdvoucher of which the identifying digits are numerically linked (detailsrefer to FIG. 6) to the inactivated voucher (step 504). This new voucheris then, to continue the example as discussed in FIG. 4 with user Bhaving transferred a voucher to the central system, stored (step 505) inuser's B central account B 21 (FIG. 4). User B can now either transferthis voucher to the user's remote device or redeem the voucher as isdescribed below.

If a copy with the same serial number is not found (step 501) in thecirculating-voucher-account 40 (FIG. 4) means that a voucher with thesame serial number has been returned earlier which indicates a seriousproblem in that a duplicate of the voucher does exist in the paymentsystem. An error signal for the system operator is automaticallygenerated by the central system (step 510). Now the system searches(step 511) for the voucher or vouchers with the same serial number byreviewing the central memory of all user central accounts such ascentral account A 11 (FIG. 4) and central account B 21 (FIG. 4), theinactive-voucher-account 50 (FIG. 4), the canceled voucher account 80(FIG. 4), the blocked redemption account 90 (FIG. 4) as well as theredeemed-voucher-account 60 (FIG. 4). Once the duplicate or duplicatesare found a report with all vouchers with the same serial number isprovided to the operator (step 512). Now the error source needs to betraced. By analyzing the dynamic log of the duplicate vouchers the pointin time and device can be located from where the logs start to deviate(step 513). This is a good starting point to identify the remote devicewhich likely sent the duplicate voucher. A good starting point for aninvestigation is provided, since the identification number of the remotedevice is linked to the corresponding central account number of thecentral account in the central system, and since the central accountnumber in the central system is linked to the external account number ofthe external account in the external system, and further since theholder of the external account in the external system is known. If anencryption key was used to translate the external account number in theexternal system into the central account number in the central systemthen an encryption key is needed to reveal the identity of the accountholder. There might be a policy on handling privacy issues in place orlegal limitations on desiring to reveal the account holder. It is,however, critical to observe that the existence of a duplicate voucheris detected as well as the likely source. It is now an operations andpolicy issue how to handle this situation. One solution could be aninsurance policy taken out by the operator of the central system toguarantee redemption to the users. In no event is an error carried fromthe payment system according to this invention to the external systemsuch as the banking system in this illustration. The central processor220 (FIG. 3) of the central system is programmed to automaticallytransfer (step 520) a voucher which could not be found in thecirculating voucher account 40 (FIG. 4) to a blocked redemption account90 (FIG. 4) which is located in the central memory 250 (FIG. 3).Vouchers in this account can not be redeemed without an operatorinterference.

To continue the illustration, user B who successfully deposited avoucher with a transferable value of 5 in the user's central account B21 (FIG. 4) at the central system 200 (FIG. 1-B) now decides to redeemthe voucher for its corresponding value of $5 in the external system 500(FIG. 1-B). User B, using the remote device 101 (FIG. 1-B), requestsfrom the central system 200 (FIG. 1-B) to transfer a voucher of value 5from the user's central account B 21 (FIG. 4) of the central system(FIG. 1-B) to the corresponding external account B 20 (FIG. 4) of theexternal system 500 (FIG. 1-B) the bank account. The balance of theexternal account B 20 (FIG. 4) of user B is now being increased by $5and the $5 are being taken out of the escrow account 30 (FIG. 4) of theexternal system 500 (FIG. 1-B). Simultaneously a set of log digitsrepresenting the redemption of the voucher is attached to the dynamiclog of the voucher just redeemed. The voucher is then taken out of thecentral account B 21 (FIG. 4) and placed in the redeemed voucher account60 (FIG. 4) of the central system 200 (FIG. 1-B).

When transferring a value between the external system 500 (FIG. 1-B) andcentral system 200 (FIG. 1-B) an additional step can be applied oftranslating the transferable value of a voucher in either directionusing an external value exchange rate. This could be for example acurrency exchange rate. Currencies from different external systems wouldbe translated into one value of vouchers, such as each one US $ equalsone unit of transferable value in the central system 200 (FIG. 1-B),whereas one German Mark equals 0.66 units of transferable value in thecentral system 200 (FIG. 1-B).

Vouchers are fixed in their transferable value, such as coins in ourdaily lives. When making a transaction the central processor 220 (FIG.3) or the remote device such as remote device A 100 (FIG. 1-B) canassemble a series of vouchers which are in the aggregate of the value tobe sent. When creating new vouchers a mix of vouchers of differentvalues can be created adding up to the desired total value. This mix canbe created by the central processor 220 (FIG. 3) which could be anoverall optimized mix or a customized mix evaluating parameters such ascurrent vouchers available and typical size of transactions. In additionif user A is left with only large value vouchers user A could requestthe central system 200 (FIG. 1-B), unless done automatically, to take avoucher out of central account A 11 (FIG. 4), inactivate the voucher,create a number of new smaller valued vouchers which add in total to thevalue of the inactivated voucher. The serial numbers, for exampleincluded in the identifying element of the newly created vouchers arelinked to the serial number of the original now inactivated voucher thusthe reconciliation and tracing abilities are not lost.

Setting Identifying Element and Increasing Dynamic Log of a DigitalVoucher

FIG. 6 is an illustration for setting an identifying element as well assetting and increasing a dynamic log of a digital voucher, according tothe invention. A digital voucher includes an identifying element made upof a series of identifying digits in an exclusive order. The voucherfurther includes a dynamic log having a series of log digits. These logdigits increase whenever there is a transaction involving the voucherthus recording the transaction history or history of movement of thevoucher through the system. This allows a system operator not only toreconcile the vouchers but also to recreate the movement of a voucher.By evaluating the histories of vouchers irregularities can be detectedearly and be traced to their likely source. This invention could best becompared to a piece of paper which can be redeemed for a dollar bill. Onthis piece of paper, whenever it is handed to another person,information is written such as the date and the account number of theperson. All information written on the piece of paper can be in anencrypted form, therefore it is kept disguised and therefore anonymous.However, if an irregularity is detected the history, the informationwritten on this piece of paper representing the value of the dollarbill, can be decrypted by authorized persons and the history can then berevealed including the identities of persons through whose hands thepiece of paper moved.

A voucher is created (step 1000) by taking the digits representing thetransferable value 1001 which is transferred from the external system500 (FIG. 1-B) to the central system 200 (FIG. 1-B). The central system200 (FIG. 1-B) attaches to this value 1001 an identifying elementincluding information such as a serial number 1002 which has not beenused throughout the system before, as well as the central account number1003 of a central account for which the voucher was created for and intowhich the voucher is deposited such as the account number of centralaccount A 11 (FIG. 4). In addition a digital signature can be added bythe central system to the identifying element. The central system uses,for example a private key to create the signature. The remote devicewhen receiving a voucher uses the corresponding public key to decryptthe digital signature included in the identifying element thus verifyingthat the voucher received was actually created by the central system. Adigital signature is not included in the illustration of FIG. 6.

Furthermore, log digits representing a transaction code of the centralsystem recording the creation of the voucher by the central system areattached 1004. This represents the first entry in the dynamic log. Atransaction code can be a simple set of digits such as the time of thetransaction or a sequential number increasing by 1 whenever atransaction takes place. Whereas time can be in the format of date ormonth, day, hour, second etc. or any understandable or machine readableformat. A transaction code in general can also be a highly descriptiveand complex code including a large volume of information such as time,description of type of transaction, digital signature, security code,identification and authorization codes and, or any other elementsrelating to a transaction.

When the above described voucher is transferred (step 2000) from thecentral system (FIG. 1-B) to the remote device A 100 (FIG. 1-B) of userA the central system attaches another transaction code 2001 to thedynamic log. The receiving remote device A 100 (FIG. 1-B) attaches itsown transaction code 2002 to the dynamic log which again can be simpleor complex as mentioned above. In addition the identification number2003 of remote device A 100 (FIG. 1-B) is attached to the dynamic log.

When the voucher is now transferred (step 3000) from the remote device Aof user A 100 (FIG. 1-B) to a second remote device B 101 (FIG. 1-B) ofuser B the remote device of user A attaches transaction code 3001 to thedynamic log. The remote device of user B 101 (FIG. 1-B) attaches itstransaction code 3002 and its identification number 3003 to the dynamiclog.

When the voucher is moved (step $000) by user B .o the central system200 (FIG. 1-B) using the remote device B 101 (FIG. 1-B), this deviceattaches its transaction code 4001 to the dynamic log. The centralsystem 200 (FIG. 1-B) attaches transaction code 4002 to the dynamic log,and once the matching serial number is found in the circulating voucheraccount an inactivation code 4003 is attached by the central system 200(FIG. 1-B) to the dynamic log.

Immediately, nearly simultaneously a new linked voucher is created (step5000). The identifying digits 5001 representing the transferable valueremain unchanged by copying the transferable value 1001. A linkedidentifying element 5002 is also created. The link in the example of theserial number can be the old serial number expanded by dot-I (0.1). Inaddition the central account number B 21 (FIG. 4) 5003 of the user Binto which account the voucher is now being placed is included in theidentifying element. In addition the central system 200 (FIG. 1-B)attaches its transaction code 5004 to the dynamic log.

Now user B is redeeming the voucher (step 6000). The central system 200(FIG. 1-B) attaches a transaction code 6001 as well as the redemptioncode 6002 to the dynamic log. The redemption code ends the circulationof a voucher.

The in above FIG. 6 described setting of the identifying element and thedynamic log of a voucher is an illustration. There are a variety ofother methods available to setting the digits for the identifyingelement as well as the dynamic log. If there is an irregularity like aduplicate serial number or duplicate of a complete identifying elementthe two or more vouchers in question can be evaluated by, for example,comparing the dynamic logs. The transaction code after which the logsstart to differ is the starting point for the analysis. In a next stepthe identification number of the remote device of the last commontransaction is of interest since it is likely that that remote devicehas created the duplicate and sent it to more than one party. Now theidentity of the user of that remote device can be revealed. Ifencryption was used, the identification number of the remote device isdecrypted. This reveals the central account number of the centralaccount of the user of the remote device in question. Once this accountnumber is known it can also be decrypted if it was encrypted and theaccount number of the external account is thus revealed. The accountholder of that external account is usually known us is the case if theexternal system is a bank. Therefore, once the account number in theexternal system is known the account holder can easily be identified bythe operator of the external system.

The central processor 220 (FIG. 3) is programmed to block thetransaction of redemption for a voucher once a duplicate serial numberor duplicate of a complete identifying element is detected. Similarlythe central processor 220 (FIG. 3) and or the remote device can beprogrammed to evaluate the identifying element and or dynamic log of allvouchers as they are received by the remote device or central systemaccording to certain criteria which determine the next destination thevoucher will be transferred to. Whereas destination can be an account ora transaction to be performed. For example there could be a lotterywhere the winner must have a certain sequence of digits to be found inthe dynamic log. Once this sequence of digits is discovered the voucherwith these digits is moved to a separate account or destination which inturn or in addition alerts the operator or the user of the event.Instead of searching for a certain lottery number the search couldinclude a certain set of identification numbers or access numbers, orother particular sequences of digits representing for example, stolendevices or vouchers. If for example a remote device is stolen theoperator of the central system can be alerted as soon as a voucher isreturned to the central system showing a recent transaction with thestolen remote device's identification number. Again analyzing thedynamic log can help to trace the potential thief. In addition remotedevices as well as the central system can, once connected, alsoauthenticate each other before continuing transactions. Whenever aremote device is connected to the central system or whenever the remotedevice is connected to another remote device the device identificationnumbers are transmitted and checked against previously received and inmemory stored information and commands to possibly restrict furthertransactions. Therefore once the identification number of a stolendevice is known no other remote device, once aware of the problem willaccept vouchers from the stolen device.

In addition to the history of transactions other log digits includingother data could be attached to a voucher. For example when purchasingsomething a specialized merchant remote device could attach a receiptdescribing what has been purchased or attach loyalty bonus points. Oncethe voucher with this attached information is returned to the centralsystem the system reads this information and stores it in a separateaccount or memory location. This expands the payment system to a multipurpose use system. In addition to payments other services such as themanagement of loyalty programs and personal finances can be offered. Forexample the merchant receipts could be formatted in a format as it isused in commercially available personal financial software packages. Thedata collected could be transferred via e-mail for example to the useron a regular basis or on-demand. Or the bonus points could be tracked ina separate bonus account, with monthly statements. Or the user couldsell a copy of his receipts to a marketing research company.

Digital Receipts

In a further expansion a user's remote device will receive a digitalreceipt (also called simply receipt) each time a voucher is transferredfrom the user's remote device to another remote device or to the centralsystem or received from the central system. These digital receipts areuseful when a remote device is lost or stolen. In the case of loss ortheft the vouchers contained in the lost remote device at the time ofloss or theft can be identified to a large extent and in the case ofloss be replaced. In the case of theft the digital receipts can furtherprovide the central system operator with an early lead to possibly trackthe thief. These receipts include at least a portion of the identifyingelement of the voucher which was received, such as in the illustrationbelow, the serial number. In addition the receipts include theidentification number of the sending remote device or the sendingcentral system followed by the identification number of the receivingremote device or the receiving central system. If the central systemdoes not have an identification number then a code representing thecentral system is added. In addition the receipts include the time forexample month, day, hour and second when the receipt was created,immediately after the transaction of transferring a voucher iscompleted. One copy of the receipt is stored in this illustration eachby the receiving and sending remote device. Each remote device has aseparate memory location called sent-voucher-remote-device such assent-voucher-remote-device A 12 (FIG. 4). The display 160 (FIG. 2) canshow the user a message indicating that the receipt has been receivedand therefore the transaction has been executed successfully.Furthermore each time a remote device such as remote device A 100 (FIG.1-B) interacts with the central system 200 (FIG. 1-B) these receipts areautomatically downloaded to the central system 200 (FIG. 1-B). Therethey are stored in a separate memory location calledreceipts-from-remote-device-account 70 (FIG. 4). When a voucher returnsto the central system and is inactivated the receipts with, in thisillustration, the same serial number are erased fromreceipts-from-remote-device account 70 (FIG. 4). (Note for eachtransaction a pair of receipts can exist, one from the sending and onefrom the receiving remote device.) If a receipt is received by thecentral system after the voucher is already inactivated the receipt iserased.

Now if a remote device is reported missing or stolen all receipts ofvouchers received by the missing or stolen remote device with theidentification number of the missing or stolen remote device attachedwhich are in the receipts-from-remote-device-account 70 (FIG. 4) arefound by the processor of the central system. As over time at least oneof the pair of receipts is likely to be received by the central systemthe vouchers corresponding to these receipts represent the known maximumnumber of vouchers which could have been in the missing or stolen remotedevice at the time of the theft or loss. This is from hereon defined asmaximum number of vouchers. Note that receipts of vouchers which theremote device either sent to the central system or which wheretransferred to another remote device and that remote device transferredthe voucher back to the central system are not included (as is desired)in the maximum number of vouchers, since once these vouchers werereturned to the central system the corresponding receipts were erased.

From this maximum number of vouchers the following must be subtracted toarrive at the vouchers residing in the remote device: a.) vouchers whichhave been transferred to other remote devices and the receipts of whichwere downloaded to the receipts-from-remote-device-account 70 (FIG. 4)of the central system 200 (FIG. 1-B). All receipts in thereceipts-from-remote-device-account 70 (FIG. 4) for vouchers which weresent from the missing/stolen remote device to another remote device mustbe found by the central processor since the vouchers corresponding tothese receipts clearly no longer reside in the missing/lost remotedevice. This can easily be done by the central processor searching forreceipts with the identification number of the stolen/missing remotedevice showing that a voucher has been transferred. b.) vouchers whichhave been transferred to other remote devices, and the receipts of whichwere not downloaded to the receipts-from-remote-device-account 70 (FIG.4) of the central system 200 (FIG. 1-B). This is the case when, forexample the lost remote device A passed on a voucher to remote device Bbefore the loss, and the remote device A is lost before it has a chanceto transmit its copy of the receipt to the central unit, and when thereceiving remote device B has not yet established a connection with thecentral system to download its copy of the receipt. Generally if remotedevice B is in regular use the time span between connections between theremote device B and the central system is short. Therefore, in generalthe central system will receive all receipts in a short period of timeand thus can rather quickly arrive at an estimate which vouchers havebeen in the stolen/lost device at the time of loss or theft. All of theabove subtracted from the "maximum number of vouchers" is defined as"estimated vouchers in the remote device".

Theoretically above mentioned remote device B could become inactive overa long period of time. Therefore, from a practical point of view thecentral system operator could set up rules such as to inactivate (letexpire) vouchers if they have not been returned to the central system bya certain time, or allow the storage in a remote device for only alimited time, after which the voucher is inactivated.

As a precaution and in the case of theft all "estimated vouchers in theremote device" can be canceled. The canceled vouchers are stored in aseparate memory location called canceled-voucher-account 80 (FIG. 4).The cancellation also means that the voucher is taken out of thecirculating voucher account 40 (FIG. 4). Whenever a voucher is returnedand not found in the circulating voucher account thiscanceled-voucher-account must also be checked. Now when a canceledvoucher is returned to the central system it must be determined byanalyzing the date and time included in the transaction code in thedynamic log whether the return is "legitimate" meaning that the stolenor missing remote device transferred the voucher to another remotedevice before the remote device was reported stolen or lost. If thevoucher is "legitimate" the voucher is taken out of the canceled voucheraccount 80 (FIG. 4) and is replaced with a new voucher with in thisillustration, a serial number which i5 linked by a set of identifyingdigits to the canceled voucher to keep a historic trail. If the voucheris "illegitimate" the log of the canceled voucher provides a possibletrail to the thief. In addition in either event the maximum number ofvouchers is reduced by the returned voucher. Finally, since over time itis possible to identify vouchers which are lost or stolen but notreturned for redemption, the system operator can decide to replace thesevouchers. In addition when a theft occurs more aggressive, proactivesteps can be undertaken such as to transmit to remote devices theidentifying elements of the vouchers stolen or likely stolen to preventthe acceptance of such a voucher by a remote device without priorchecking with the system operator.

In case of a report of theft the central processor will immediatelysearch for receipts or inactivated vouchers which show a time stamp,therefore activity, with a time after the time of theft of the stolenremote device. This offers the system operator a good lead to search forthe thief.

The receipt can in addition to the above outlined information alsoinclude any other information such as details about the item or servicepurchased, or any promotional message or coupon or any otherinformation.

It should be noted that receipts are a useful tool as illustrated aboveto, for example gain a quick insight into transactions and might also berequired by regulations concerning financial transactions. However, thecomplete history can be recorded in the dynamic log and thereforereceipts might not be necessary.

Advantages of Self-Contained Payment System With Circulating DigitalVouchers

The structure and method according to the invention has numerous andsignificant advantages over all conventional payment systems.

the remote devices can be used in an on-line environment such as theinternet. private networks, telecommunication networks etc. as well asin an off-line environment such as a face-to-face transaction. Vouchersaccording to the invention can be freely transferred from on-line tooff-line and back to on-line.

vouchers according to the invention can be passed from remote device toremote device and therefore from an individual to a business, from abusiness to an individual, from business to business as well as from anindividual to an individual.

vouchers according to the invention can be used without restrictions anddelays as soon as they have been received.

there is no value limit to a voucher according to the inventiontherefore macro and micro payments (less than $0.01) are possible.

the account numbers of the central system can be kept anonymous using atranslation algorithm protected by encryption. Therefore the system isanonymous, and the privacy of the individual is protected. However, thelogs of the vouchers according to the invention can be read byauthorized persons to track irregularities and therefore to prevent andtrace illegal acts such as counterfeiting. It is a policy issue for theoperator of the payment system according to the invention, not atechnical issue, to set the rules for revealing an individual's identityand transaction history.

the transport of vouchers according to the invention through any type ofnetwork is secure. With the help of the attached logs the source ofirregularities (e.g. counterfeiting) is easily and quickly tracked. Inaddition, common encryption technologies, as well as digital signatures,can be applied to add another level of security when the vouchers are intransit.

the integrity of the external system, the world financial systems isprotected. A payment system according to the invention is separated fromthe external system. Within the payment system vouchers are used whichare reconciled before they can be redeemed in the external system.

a user can receive receipts.

if a remote device gets lost, with the help of the receipts, thevouchers having been stored in the remote device at the time of loss canbe identified and therefore be replaced.

the payment system can handle different currencies.

the payment system according to the invention includes the capability ofbeing used as a multiple purpose system, for example, to manage loyaltyprograms such as frequent flier miles programs and to add otherinformation and data to a voucher at a time of transaction such ascoupons.

While the invention has been described with regards to specificembodiments and specifications, those skilled in the art will recognizethat changes can be made in form and detail without departing from thespirit and scope of the invention.

I claim:
 1. A method for creating and using a digital voucher,comprising the steps of:setting an identifying element having a seriesof identifying digits which include an exclusive order of digits,wherein said identifying element includes a pattern of digitsrepresenting a serial number that is unique to said voucher; setting adynamic log having a series of log digits; increasing the data in saiddynamic log whenever there is a transaction involving the voucher,wherein a transaction includes creation, any use or movement of thevoucher; and wherein said log digits contain data related to a historyof transactions.
 2. The method of claim 1, wherein the method furthercomprises the step of:evaluating said identifying element and dynamiclog of the voucher with respect to evaluation criteria which afterevaluation determines to which one of several possible destinations thevoucher will be transferred.
 3. The method of claim 2, wherein said stepof evaluating said identifying element and dynamic log is areconciliation before said voucher is allowed to be redeemed for saidtransferred value.
 4. The method of claim 1, wherein said identifyingelement includes a pattern of digits representing a transferable valuein an external system for which the voucher can be redeemed.
 5. Themethod of claim 4,wherein the attachment of a particular pattern ofdigits in said dynamic log provides that said voucher is inactivatedcreating an inactivated voucher and transforming the transferable valueof said voucher from an initial value to a value having no transferablevalue and creating a second series of vouchers having transferablevalues in smaller denominations than the original voucher; wherein saidsecond series of smaller vouchers are linked to said original voucherthrough a series of identifying digits in the identifying elements ofsaid second series of smaller vouchers wherein the total value of saidsmaller denominated vouchers equals the initial transferable value ofsaid inactivated voucher.
 6. The method of claim 1, wherein said logdigits include a time of each transaction recorded.
 7. The method ofclaim 1, wherein the step of increasing the data in said dynamic logincludes attaching an identification number of a device performing atransaction.
 8. The method of claim 1, wherein said log digits includedata in addition to the history of transactions for said voucher.
 9. Adigital voucher system comprising:an identifying element having a seriesof identifying digits which include an exclusive order of digits,wherein said identifying element includes a pattern of digitsrepresenting a serial number that is unique to said voucher; a dynamiclog having a series of log digits which together with said identifyingelement comprise a voucher data set; and a set of instructions for aprocessor to add data to said series of log digits whenever there is atransaction involving the voucher, wherein a transaction includes acreation of as well as any use of or movement of the voucher, whereinsaid dynamic log contains data related to a history of transactions. 10.The system of claim 9, wherein said set of instructions for saidprocessor includes instructions to evaluate said identifying digits andlog digits of said voucher with respect to evaluation criteria, theevaluation determines to which one of several possible destinations thevoucher will be transferred.
 11. The system of claim 9, wherein saididentifying element includes a pattern of digits representing atransferable value in an external system for which the voucher can beredeemed.
 12. The system of claim 11, wherein said set of instructionsfor said processor further includes instructions to evaluate saididentifying digits and log digits to perform a reconciliation beforesaid voucher is allowed to be redeemed for said transferable value. 13.The method of claim 11,wherein said set of instructions for saidprocessor includes instructions to attach a particular pattern of digitsto said dynamic log providing that said voucher is inactivated creatingan inactivated voucher and transforming the transferable value of saidvoucher from an initial value to a value having no transferable valueand creating a second series of vouchers having transferable values insmaller denominations than the original voucher; wherein said secondseries of smaller vouchers are linked to said original voucher through aseries of identifying digits in the identifying elements of said secondseries of smaller vouchers wherein the total value of said smallerdenominated vouchers equals the initial transferable value of saidinactivated voucher.
 14. The system of claim 9, wherein said log digitsinclude a time of each transaction.
 15. The system of claim 9, whereinsaid set of instructions for said processor increasing the data in saiddynamic log includes attaching an identification number of a device whenperforming a transaction.
 16. The system of claim 9, wherein said logdigits include data in addition to the history of transactions for saidvoucher.
 17. A system for executing transactions, comprising:a voucher,comprising:an identifying element, wherein said identifying elementincludes a pattern of digits representing a serial number that is uniqueto said voucher; and a dynamic log to which additional data representingthe transfer of the voucher is added whenever there is a transactioninvolving the voucher and a computer for executing a transaction,wherein said transaction includes creation of, use of, or movement ofthe voucher.
 18. The system of claim 17, further comprising:a remotedevice comprising:an input signal receiver for receiving said voucherssent to the said remote device; a memory for storing said vouchers andstoring an identification number of said remote device and storing anaccount number; an output signal generator for sending said vouchers;and a processor for storing said received vouchers in said memory,wherein said processor generates and attaches a remote device set of logdigits to said voucher, and wherein said processor retrieves vouchersfrom said memory and sends them to said output signal generator linkedto said processor.
 19. The system of claim 17, further comprising:acentral system comprising the following components:a central memorywhere memory locations represent accounts having account numbers,vouchers are stored in said accounts, the memory is connected to acentral processor; a central processor which:provides user with anaccount number in the central system and which allocates space in saidcentral memory for said account number; creates said identifying elementof said voucher; attaches a central system identifying set of log digitswhen performing a transaction; transmits said voucher to a first remotedevice; receives said voucher from a second remote device, where saidfirst remote device and said second remote device can be the same remotedevice; evaluates said identifying digits and log digits of saidreceived voucher; and redeems said voucher only after verifying thatsaid voucher has not been received earlier in said central system; acentral input signal receiver which receives said vouchers from any ofsaid first and second remote device and which is linked to said centralprocessor; anda central output signal generator which is linked to saidcentral processor and sends said vouchers to any of said first andsecond remote device.
 20. The system of either claim 18 or claim 19,wherein said log digits comprise any of:an identification number,time/date information, a serial number, loyalty bonus points, atransaction receipt, a transaction coupon, a sweepstakes transaction, alottery transaction, or a transaction bill.
 21. The system of claim 20,wherein said log digits are stored in a separate account which isoptionally remotely located.
 22. The system of claim 20, wherein saidlog digits are stored in an application specific format.
 23. The systemof claim 22, wherein said log digits are transferred to saidapplication.